Clearpass rolling expiry timers

02-03-2014 07:04 AM

Hello everybody.

I'm probably being a bit lazy, but I suspect somebody knows where the info is for this...

Assume a scenario, where I want to update a guest user/device expiry timer each time they re-connect. I.e. A guest connects and is approved/authenticated. We're doing mac-caching too by the way. They initially get created with 1 month's access. I'm good with this setup (I.e. I know how to do it). Normally, the account lasts a month obviously.

So, as an extension, assume that 5 days later, the user/device reconnects and is mac-auth'd. At that point, what I want to do, is reset their account to 1 month again. In other words, as long as they use the device within that 1 month, it keeps updating to have another month into the future. If they don't connect during the month, obviously the accounts (user and device) age out as normal.

Has anybody done this? I'm expecting it to be achievable by way of an enforcement profile? Just unsure what the variables and syntax should be?

Re: Clearpass rolling expiry timers

02-03-2014 07:35 AM - edited 02-03-2014 07:35 AM

I have done a deployment recently where the customer wanted the expiry time of the guest accounts to be automatically updated each time the user logged in (for example: expire time = current-time + 90 days)

This involved having to define a custom authentication source where we would execute a SQL UPDATE query to the local database in ClearPass.

This solution is a bit hackerish and is probably not supported by Aruba :). If you want I can share these SQL queries.

Also, for MAC-caching we are binding an endpoint directly to the guest account; we have also made some custom SQL queries for this cause since ClearPass does not do this out-of-the-box.

Re: Clearpass rolling expiry timers

Big warning on using SQL queries in your config: the database schema CAN CHANGE. If ClearPass ships updates these SQL queries might break. Use at your own risk.

Database schema, remote access

You can access the ClearPass database with the "appexternal" account (you can set this password under "cluster wide parameters" in the server configuration). Then use a program like pgAdmin (postgres admin) to create a connection.

MAC caching: bind guest user to endpoint

If you want to use MAC caching and bind the endpoint directly to the guest account follow these steps. This means when the guest account is disabled or expired, the MAC authentication will fail as well.

3) Create a MAC authentication service where the above authentication source is used as the authentication source

4) In the enforcement policy you can have a generic accept policy (like day of the week), make sure you have an enforcement profile in place that will return remaining_expiration in the RADIUS - IETF - Session-Timeout attribute. Use %{Authentication:MAC_cache:remaining_expiration} as the value for this.

5) For the captive portal service make sure you have a post_authentication enforcement profile in place which will update the endpoint with the guest username during captive portal login

Dynamic expire time update

If you want to update the expire-time during each login you can do this by creating a new authentication source (same method as described above). Use this authentication source as an authorization source in your service. See attached screenshot for the settings. SQL queries for this:
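The SQL queries themselves are not reproduced in this thread. As an added example that is neither the poster's configuration nor ClearPass code, the Python below models the behaviour the thread describes: a guest account expires a fixed window after its last successful login, the endpoint is bound to the guest username at captive-portal login, MAC authentication fails once the bound account is disabled or aged out, and the remaining lifetime is what an enforcement profile would hand back as Session-Timeout. Assumptions: a 30-day window standing in for "1 month", an in-memory GuestStore standing in for the ClearPass guest and endpoint tables, and that the expiry refresh (the authorization-source UPDATE) runs after the authentication source has already read remaining_expiration. The timeline in run_scenario() is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Assumed rolling window: the thread says "1 month"; 30 days is used here.
ROLLING_WINDOW = timedelta(days=30)


@dataclass
class GuestAccount:
    username: str
    expire_time: datetime
    enabled: bool = True
    mac: Optional[str] = None  # endpoint bound at captive-portal login (step 5)


class GuestStore:
    """Constructed in-memory stand-in for the ClearPass guest/endpoint tables."""

    def __init__(self) -> None:
        self.accounts: Dict[str, GuestAccount] = {}
        self.mac_index: Dict[str, str] = {}  # endpoint MAC -> guest username

    def create(self, username: str, now: datetime) -> GuestAccount:
        acct = GuestAccount(username, now + ROLLING_WINDOW)
        self.accounts[username] = acct
        return acct

    def bind_endpoint(self, username: str, mac: str) -> None:
        # Post-authentication profile writes the guest username onto the endpoint.
        mac = mac.lower()
        self.accounts[username].mac = mac
        self.mac_index[mac] = username

    def remaining_expiration(self, username: str, now: datetime) -> int:
        """Seconds left on the account, clamped at 0: the value the authentication
        source exposes and the enforcement profile returns as Session-Timeout."""
        delta = self.accounts[username].expire_time - now
        return max(0, int(delta.total_seconds()))

    def mac_auth(self, mac: str, now: datetime) -> Tuple[bool, int]:
        """MAC authentication against the bound guest account (steps 3 and 4).
        Returns (accepted, session_timeout_seconds)."""
        username = self.mac_index.get(mac.lower())
        if username is None:
            return False, 0  # unknown endpoint: no cached guest, portal login needed
        acct = self.accounts[username]
        remaining = self.remaining_expiration(username, now)
        if not acct.enabled or remaining == 0:
            return False, 0  # disabled or aged-out account fails MAC auth as well
        # Rolling expiry: a successful login pushes expire_time out again.
        # Assumed ordering: remaining_expiration was read before this update,
        # so Session-Timeout covers the old window; when it elapses the client
        # re-authenticates and the window is refreshed once more.
        acct.expire_time = now + ROLLING_WINDOW
        return True, remaining


def run_scenario() -> Dict[str, Tuple[bool, int]]:
    """Constructed timeline: device A logs in at t0, reconnects on day 5 and
    day 34, then stays silent until day 65; device B never reconnects."""
    t0 = datetime(2014, 3, 2, 7, 0, tzinfo=timezone.utc)
    store = GuestStore()
    store.create("guest-a", t0)
    store.bind_endpoint("guest-a", "AA:BB:CC:DD:EE:01")
    store.create("guest-b", t0)
    store.bind_endpoint("guest-b", "AA:BB:CC:DD:EE:02")

    results: Dict[str, Tuple[bool, int]] = {}
    results["a_day5"] = store.mac_auth("aa:bb:cc:dd:ee:01", t0 + timedelta(days=5))
    results["a_day34"] = store.mac_auth("aa:bb:cc:dd:ee:01", t0 + timedelta(days=34))
    results["a_day65"] = store.mac_auth("aa:bb:cc:dd:ee:01", t0 + timedelta(days=65))
    results["b_day31"] = store.mac_auth("aa:bb:cc:dd:ee:02", t0 + timedelta(days=31))
    results["unknown"] = store.mac_auth("00:00:00:00:00:00", t0)
    return results


if __name__ == "__main__":
    for name, (ok, timeout) in run_scenario().items():
        print(f"{name:8s} accepted={ok} session_timeout={timeout}s")
```

Device A is accepted on day 5 with 25 days of Session-Timeout left, accepted again on day 34 because the day-5 login moved its expiry to day 35, and rejected on day 65 because the day-34 login only extended it to day 64. Device B ages out on schedule. In a real deployment the refresh is the schema-dependent UPDATE the earlier reply warns about; keeping the window and ordering explicit, as here, is what you would want to verify again after every ClearPass upgrade.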